1
Security Pattern Assurance through Round-Trip Engineering
Amnon H. Eden, School of Computer Science & Electronic Engineering, University of Essex
2
Abstract
Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns:
- Making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns
- Modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort
- Enforcing design decisions, by developing tools for fully automated conformance checking
3
Contents
- Making design decisions: from requirements to tactics to patterns
- Modelling design decisions: structure (Codecharts); behaviour (temporal logic)
- Enforcing design decisions: tool support
- Round-trip engineering
4
Example
Requirement: withstand attacks
1. Make the design decision. Tactic: Limit Exposure. Pattern: Check Point
2. Codify the decision. Structure: Codecharts. Behaviour: temporal logic
3. Enforce the decision. Map the pattern to the implementation; verify with the Toolkit
5
Project: Security Pattern Assurance through Round-trip Engineering
LENS (Line-funded Exploratory New Starts), Software Engineering Institute, Carnegie-Mellon University, $125K
Team: Rick Kazman (SEI & U of Hawaii), Abdullah Alzahrani (U of Essex), Jungwoo Ryoo (Penn State), Rob Wojcik (SEI), Amnon H. Eden (U of Essex), Gary Chastek (SEI)
6
Making design decisions
Requirements → Tactics → Patterns
7
Tactics: fine-grained design objectives
Each contributes to one quality attribute: Availability, Interoperability, Modifiability, Performance, Security, Testability, Usability (Bass, Clements & Kazman 2012)
8
Tactics hierarchy (Ryoo, Kazman & Laplante 2012)
9
Guide: from tactics to patterns
Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, …
10
Modelling design decisions: Structure
Codecharts
11
Single Access Point (SAP) pattern
Intent: defines one interface for all communication between external entities and secured components
Participants: External Entities, Internal Entities, Single Access Point
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wasserman & Cheng 2003)
12
SAP: structure
- The class Single Access Point is the only one that interacts with external entities
- Single Access Point is an appropriate place for capturing an information log on the parties currently accessing the system
(Wasserman & Cheng 2003)
13
Check Point pattern
Intent: a component that intercepts and monitors all incoming requests; in case of a violation it is responsible for taking appropriate countermeasures
Participants: CheckPoint, Countermeasure, SecurityPolicy
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wasserman & Cheng 2003)
14
Check Point pattern (cont.): structure
- CheckPoint implements a method to check messages according to the current security policy and either triggers countermeasures or allows the message to proceed to the intended recipient
- Countermeasure provides actions that can be triggered in order to react to an access violation
- SecurityPolicy implements the rules that determine whether a request is granted
(Wasserman & Cheng 2003)
15
Modelling structure: class diagrams
Check Point (Wasserman & Cheng 2003)
16
Modelling structure: class diagrams
Check Point (Wasserman & Cheng 2003)
1. Which method calls which?
2. What's this?
3. Is it class "CheckPoint"?
17
Modelling structure: Codecharts
Check Point (Wasserman & Cheng 2003)
InternalEntities : ℙ CLASS
counterMeasure : CLASS
checkPolicy : SIGNATURE
Trigger : ℙ SIGNATURE
Call(checkRequest⊗checkPoint, Trigger⊗counterMeasure)
18
Modelling structure: CheckPoint Codechart
Schema:
singleAccessPoint, checkPoint, counterMeasure, securityPolicy : CLASS
InternalEntities : ℙ CLASS
access, checkPolicy, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
Call(access⊗singleAccessPoint, checkRequest⊗checkPoint)
Call+(checkRequest⊗checkPoint, SecureActions⊗InternalEntities)
…
Check Point (Wasserman & Cheng 2003)
19
Modelling structure: CheckPoint encapsulates the security policy
Class diagrams: many policies ⇒ many CheckPoints. Common? Unique? One concrete CP or many?
Check Point (Schumacher et al. 2006)
20
Modelling structure: CheckPoint2 Codechart
Schema:
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access⊗singleAccessPoint, checkRequest⊗checkPointHierarchy)
Call(access⊗singleAccessPoint, SecureActions⊗InternalEntities)
…
Check Point (Schumacher et al. 2006)
21
Modelling structure: Codecharts
- Methods, sets, signatures
- Precise criterion of correctness
- Communication; verification; automation, …
- Variations become evident: Check Point (Wasserman & Cheng 2003) vs. Check Point (Schumacher et al. 2006)
22
Modelling design decisions: Behaviour
23
Security patterns: behaviour
- CheckPoint checks if msg conforms to the policy. If not, it triggers a countermeasure; if so, it allows msg to proceed to the intended recipient
- Countermeasure reacts to an access violation when triggered
- Client receives a granted/denied access message
…
Check Point (Wasserman & Cheng 2003)
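The Check Point structure (slide 14) and behaviour (this slide) as a runnable Python illustration. This is an added example, not code from the talk or from Wasserman & Cheng: the class names follow the pattern's participants, while the role-based policy rules, the lockout-after-two-violations countermeasure, the document_service internal entity and the sample requests are constructed for this example. Single Access Point is the only object external callers touch; it logs the caller and hands the message to CheckPoint, which consults SecurityPolicy and either triggers CounterMeasure or forwards the message, and the client gets back a granted/denied message.

```python
"""Check Point pattern (Wasserman & Cheng 2003) as runnable Python.

Added illustration, not code from the talk. Class and method names follow the
pattern's participants; the policy rules, the lockout threshold and the sample
requests are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Request:
    """A message arriving from an external entity."""
    client: str
    role: str
    action: str


class SecurityPolicy:
    """Implements the rules that determine whether a request is granted."""

    def __init__(self, permitted: Dict[str, Set[str]]):
        self._permitted = permitted  # role -> actions that role may perform

    def permits(self, req: Request) -> bool:
        return req.action in self._permitted.get(req.role, set())


class CounterMeasure:
    """Actions triggered to react to an access violation: here, record the
    violation and lock the client out after `lockout_after` violations
    (the threshold is an assumption of this example)."""

    def __init__(self, lockout_after: int):
        self.lockout_after = lockout_after
        self.violations: Dict[str, int] = {}
        self.log: List[str] = []

    def trigger(self, req: Request) -> None:
        self.violations[req.client] = self.violations.get(req.client, 0) + 1
        self.log.append(f"violation by {req.client}: {req.action} as {req.role}")

    def locked_out(self, client: str) -> bool:
        return self.violations.get(client, 0) >= self.lockout_after


class CheckPoint:
    """Intercepts every request, checks it against the current policy and either
    triggers a countermeasure or lets the message proceed to its recipient."""

    def __init__(self, policy: SecurityPolicy, countermeasure: CounterMeasure):
        self.policy = policy
        self.countermeasure = countermeasure

    def check_request(self, req: Request, recipient: Callable[[Request], str]) -> str:
        if self.countermeasure.locked_out(req.client):
            return "denied"                      # countermeasure already in force
        if not self.policy.permits(req):
            self.countermeasure.trigger(req)     # access violation
            return "denied"
        return "granted: " + recipient(req)      # message proceeds to the internal entity


class SingleAccessPoint:
    """The only class external entities talk to; also logs who accesses the system."""

    def __init__(self, check_point: CheckPoint, internal_entity: Callable[[Request], str]):
        self.check_point = check_point
        self.internal_entity = internal_entity
        self.access_log: List[str] = []

    def access(self, req: Request) -> str:
        self.access_log.append(req.client)
        return self.check_point.check_request(req, self.internal_entity)


def document_service(req: Request) -> str:
    """Constructed internal entity that performs the secured action."""
    return f"{req.action} performed for {req.client}"


def build_system(lockout_after: int = 2):
    policy = SecurityPolicy({"user": {"read"}, "admin": {"read", "write"}})
    countermeasure = CounterMeasure(lockout_after)
    sap = SingleAccessPoint(CheckPoint(policy, countermeasure), document_service)
    return sap, countermeasure


def run_demo():
    """Constructed request sequence; returns the client-visible outcomes and the countermeasure."""
    sap, countermeasure = build_system(lockout_after=2)
    requests = [
        Request("alice", "user", "read"),    # permitted
        Request("carol", "user", "write"),   # violation 1
        Request("carol", "user", "read"),    # still permitted: below the lockout threshold
        Request("carol", "user", "write"),   # violation 2 -> locked out
        Request("carol", "user", "read"),    # denied although the policy would permit it
        Request("bob", "admin", "write"),    # permitted
    ]
    return [sap.access(r) for r in requests], countermeasure


if __name__ == "__main__":
    outcomes, cm = run_demo()
    for line in outcomes + cm.log:
        print(line)
```

The fifth request shows the point of separating Countermeasure from SecurityPolicy: the policy still permits the read, but the countermeasure triggered by earlier violations now decides the outcome.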
24
Modelling behaviour: sequence diagrams
- Limited abstractions
- Difficult to represent global constraints
- Limited tool support in verification
Check Point (Wasserman & Cheng 2003)
25
Modelling behaviour: statecharts
- Limited to FSAs
- Problematic integration
Check Point (Wasserman & Cheng 2003)
26
Modelling behaviour: temporal logic
□(CheckPoint.denyAccess ⇒ ◇CounterMeasure.triggered)
□(CheckPoint.denyAccess ⇒ Client.fail U Client.idle)
□(CheckPoint.grantAccess ⇒ (◇Client.succeed) U Client.idle)
Availability
Check Point (Wassermann & Cheng 2003)
27
Enforcing design decisions
Automated verification: the TTP Toolkit
28
Check Point: implementation
Java Authentication & Authorization Service (JAAS)
- Java implementation of the Pluggable Authentication Module (PAM) information security framework
- Originally developed for the Solaris operating system; other implementations: Linux-PAM
- Used by the Apache web server to validate each HTTP request according to a configured activation sequence
- Implements the Check Point pattern
29
Security patterns: structure
Apparent similarity… Check Point pattern vs. JAAS
30
Enforcing structure: assignment of constants to variables (Check Point)
31
Enforcing structure: verification
32
Enforcing structure: automation
Result of the assignment (Check Point)
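How the "assignment of constants to variables" and the verification step on the preceding slides can be carried out, as an added Python example that is not the TTP Toolkit and not code from the talk. The schema is the Check Point Codechart from the modelling slides; the toy call graph, the class and method names assigned to the schema's variables, and the reading of Call over set terms (a total relation: every source method calls at least one target method, with Call+ evaluated over the transitive closure of the call graph) are assumptions of this example. The second call graph drops the call that triggers the countermeasure, the kind of careless change the verification should catch.

```python
"""Structural conformance checking of a Codechart against a program.

Added example, not the TTP Toolkit. The schema is the Check Point Codechart from
the talk; the toy call graph, the assignment of its classes and methods to the
schema's variables, and the reading of Call over set terms (a "total" relation:
every source method calls at least one target method) are assumptions here.
"""
from typing import Dict, Set, Tuple, Union

Method = Tuple[str, str]                 # (class, signature)
Constant = Union[str, Set[str]]

# Check Point schema: variable declarations and Call formulas (⊗ = superimposition).
SCHEMA = {
    "declarations": {
        "singleAccessPoint": "CLASS", "checkPoint": "CLASS", "counterMeasure": "CLASS",
        "InternalEntities": "P CLASS",
        "access": "SIGNATURE", "checkRequest": "SIGNATURE",
        "Trigger": "P SIGNATURE", "SecureActions": "P SIGNATURE",
    },
    "formulas": [  # (relation, source term, target term); a term is (signature, class)
        ("Call", ("access", "singleAccessPoint"), ("checkRequest", "checkPoint")),
        ("Call", ("checkRequest", "checkPoint"), ("Trigger", "counterMeasure")),
        ("Call+", ("checkRequest", "checkPoint"), ("SecureActions", "InternalEntities")),
    ],
}

# Constructed call graph of a toy implementation: method -> methods it calls.
CALL_GRAPH: Dict[Method, Set[Method]] = {
    ("Gateway", "access"): {("PolicyGate", "checkRequest")},
    ("PolicyGate", "checkRequest"): {("Auditor", "alert"), ("Auditor", "lockout"),
                                     ("Dispatcher", "route")},
    ("Dispatcher", "route"): {("Ledger", "post"), ("Vault", "store")},
    ("Auditor", "alert"): set(), ("Auditor", "lockout"): set(),
    ("Ledger", "post"): set(), ("Vault", "store"): set(),
}

# A careless change: the check point no longer triggers the countermeasure.
CARELESS_GRAPH = {**CALL_GRAPH, ("PolicyGate", "checkRequest"): {("Dispatcher", "route")}}

# Assignment of the program's constants to the schema's variables.
ASSIGNMENT: Dict[str, Constant] = {
    "singleAccessPoint": "Gateway", "checkPoint": "PolicyGate", "counterMeasure": "Auditor",
    "InternalEntities": {"Ledger", "Vault"},
    "access": "access", "checkRequest": "checkRequest",
    "Trigger": {"alert", "lockout"}, "SecureActions": {"post", "store"},
}


def typecheck(schema, assignment) -> None:
    """A CLASS/SIGNATURE variable takes one constant; a P (powerset) variable takes a set."""
    for var, typ in schema["declarations"].items():
        is_set = not isinstance(assignment[var], str)
        if is_set != typ.startswith("P "):
            raise TypeError(f"{var} : {typ} assigned {assignment[var]!r}")


def transitive_closure(graph):
    """Call+: every method reachable through one or more calls."""
    closure = {}
    for start in graph:
        seen, stack = set(), list(graph[start])
        while stack:
            m = stack.pop()
            if m not in seen:
                seen.add(m)
                stack.extend(graph.get(m, set()))
        closure[start] = seen
    return closure


def superimpose(signatures: Set[str], classes: Set[str], universe: Set[Method]) -> Set[Method]:
    """S ⊗ C: the program's methods with a signature in S defined in a class in C."""
    return {m for m in universe if m[0] in classes and m[1] in signatures}


def as_set(c: Constant) -> Set[str]:
    return {c} if isinstance(c, str) else set(c)


def check_assignment(schema, assignment, graph) -> Dict[str, bool]:
    """Evaluate each Call formula under the assignment; returns formula -> holds?"""
    typecheck(schema, assignment)
    universe = set(graph) | {m for callees in graph.values() for m in callees}
    closure = transitive_closure(graph)
    results = {}
    for rel, (s1, c1), (s2, c2) in schema["formulas"]:
        src = superimpose(as_set(assignment[s1]), as_set(assignment[c1]), universe)
        dst = superimpose(as_set(assignment[s2]), as_set(assignment[c2]), universe)
        calls = closure if rel == "Call+" else graph
        # Assumed "total" reading: both terms are non-empty and every source
        # method calls (for Call+, transitively reaches) some target method.
        ok = bool(src) and bool(dst) and all(calls.get(m, set()) & dst for m in src)
        results[f"{rel}({s1}⊗{c1}, {s2}⊗{c2})"] = ok
    return results


if __name__ == "__main__":
    for name, g in (("original", CALL_GRAPH), ("after careless change", CARELESS_GRAPH)):
        print(name, check_assignment(SCHEMA, ASSIGNMENT, g))
```

Against the original graph all three formulas hold; against the careless change only the second formula fails, which is exactly the constraint the change broke. Note what the schema does not say: it states which calls must exist, not that no other path bypasses the check point, so a verified assignment is evidence of conformance to the pattern, not a proof that every request is checked.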
33
Enforcing behaviour: verification
Wasserman & Cheng (2003):
- Technique: model checking
- Tools: MINERVA (Campbell et al. 2002) checks consistency of UML; HYDRA (McUmber & Cheng) translates UML to Promela; SPIN (Holzmann 1997) model checker
- Systems tested: small examples
- Manual
(Wasserman & Cheng 2003)
34
Enforcing structure: verification
JUnit example: ArrayList
"ArrayList Satisfies JUnit"
Assignment
35
Round-trip engineering
36
Forward, reverse, & round-trip
(Eden, Gasparis, Nicholson & Kazman, forthcoming)
37
Modelling: detailed
38
Implementation Java 3D
39
Modelling: abstract Java 3D
40
Code analysis Java 3D
41
Verification Successful Java 3D
42
Modelling patterns
43
Verifying patterns: structural conformance
Java 3D implements Factory Method (Factory Method in Java 3D)
44
Implementation: evolve
Careless change
45
Verification (again)
46
Visualization Package java.util.logging
47
Modelling: evolve
48
Modelling formats: textually (XML), visually (Codechart), symbolically (Schema)
Factory Method pattern
<?xml version="1.0" encoding="ISO "?>
<?xml-stylesheet type="text/xsl" href="
<schema xmlns=" title="Factory Method" xmlns:xsi=" xsi:schemaLocation="
  <description>The Factory Method design pattern</description>
  <declarations>
    <declare>
      <variable value="Factories" />
      <variable value="Products" />
      <type value="HIERARCHY" exponent="1" />
    </declare>
    <declare>
      <variable value="factoryMethod" />
      <type value="SIGNATURE" exponent="0" />
    </declare>
  </declarations>
  <formulas>
    <formula>
      <predicatesymbol value="Isomorphic" />
      <relationsymbol value="Produce" transitive="false" />
      <superimposition>
      </superimposition>
    </formula>
  </formulas>
  <!-- Generated using the TTP Toolkit on Tue Nov 27 17:42:25 GMT -->
</schema>
49
Sidebar: Codecharts
50
Desiderata
- Automatically verifiable
- Modelling & visualization
- Formal & practical
- Elegant & parsimonious
- Visual & symbolic
- Object-oriented
- Scalable
- Generic
LePUS3 vocabulary (Eden & Nicholson 2011)
51
Inspiration: blueprints
52
Visual & symbolic: CheckPoint2 Codechart
Schema:
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access⊗singleAccessPoint, checkRequest⊗checkPointHierarchy)
Call(access⊗singleAccessPoint, SecureActions⊗InternalEntities)
…
Check Point (Schumacher et al. 2006)
53
Parsimony “Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object” Java 3D (Eden et al. 2013)
54
Scalability Java 3D API
55
Genericity (Monson-Haefel, 2001, Enterprise JavaBeans)
"Every bean [class] obtains an EJBContext object, which is a reference to the container"
"The home interface extends the ...javax.ejb.EJBHome interface"
"A home [interface] may have many create() methods, …, each of which must have corresponding ejbCreate() and ejbPostCreate() methods in the bean class. The number and datatype of the arguments of each create() are left up to the bean developer"
"When a create() method is invoked on the home interface, the container delegates the invocation to the corresponding ejbCreate() and ejbPostCreate() methods on the bean class. An implementation for the bean's home interface is generated by the container."
Implemented / User-defined
56
Formal method
A method is formal if it has a sound mathematical basis which provides the means of precisely defining:
- specification
- implementation
- correctness
A (formal) specification language:
- set Syn (syntactic domain)
- set Sem (semantic domain)
- relation Sat between them
(Guttag, Horning & Wing 1982; Wing 1990)
57
Definitions (Wing 1990)
58
Definitions (Eden & Nicholson 2011)
59
Semantics (Eden & Nicholson 2011)
60
Sidebar: Visualization
61
Inspiration: maps London, England
62
Visualization: Tools SHriMP Class Blueprints Rigi (Ducasse & Lanza 2005; Story et al. 2002; Muller & Klashinski 1988)
63
CC 439: Software Design and Architecture, Autumn term 2006/7
Visualization: Tools
Microsoft Foundation Classes (Booch Notation) (Odenthal & Quibeldey-Cirkel 1997)
Dr Amnon H Eden, Department of Computer Science, University of Essex
64
Visualization: Tools
JBuilder 7: package java.util (Gasparis 2010)
65
Visualization: Tools
Fujaba Tool Suite 5: package Java3D 1.5 (Maniati 2008)
66
Visualization: Tools
NetBeans 6.1: package java.util (Gasparis 2010)
67
Visualization: Tools
NetBeans 6.1: package Java3D 1.5 (about 1,200 classes) (Maniati 2008)
68
Visualization: Toolkit
Package JGraph (Eden & Nicholson 2011)
69
Visualization: Toolkit
Package java.io
70
Visualization: Toolkit
Package java.awt
71
Visualization: Toolkit
Set Relations JGraph java.util.logging
72
Visualization: Toolkit
Package java.jgraph
73
Visualization: Toolkit
Java Authentication & Authorization (JAAS)
74
Future directions
75
Runtime verification: enforce behavioural design decisions
- Specified in LTL, Statecharts, sequence diagrams, …
- A.k.a. runtime monitoring
- Technique: monitor the program's execution or read an execution trace; determine conformance to specifications; violations trigger actions
- Languages & tools: Eagle (Barringer, Goldberg, Havelund & Sen 2003); parameterized RuleR (Barringer, Rydeheard & Havelund 2010); PathExplorer (Havelund & Roşu 2001); MOP (Chen & Roşu 2007)
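The three temporal-logic constraints from the behaviour slide (slide 26), checked over a finite execution trace in the way this slide describes. This is an added runtime-monitoring example in Python; it is not Eagle, RuleR, PathExplorer or MOP, and not code from the talk. The trace format (one set of atomic propositions per step), the two sample traces, and the decision to report an ◇ or U obligation still pending when the trace ends as a violation are assumptions of this example.

```python
"""Runtime monitor for the Check Point temporal-logic constraints.

Added example, not one of the tools named in the talk. It evaluates the three
LTL constraints from the behaviour slide over a finite execution trace. The
trace format and the sample traces are constructed; an obligation still
pending at the end of the trace counts as a violation (a conservative choice).
"""
from typing import FrozenSet, List

Trace = List[FrozenSet[str]]   # trace[i] = atomic propositions true at step i


# Formulas are nested tuples built with these constructors.
def atom(p): return ("atom", p)
def implies(f, g): return ("implies", f, g)
def G(f): return ("G", f)          # always (□)
def F(f): return ("F", f)          # eventually (◇)
def U(f, g): return ("U", f, g)    # f until g


def holds(f, trace: Trace, i: int) -> bool:
    """Finite-trace LTL: does formula f hold at position i of the trace?"""
    op = f[0]
    if op == "atom":
        return f[1] in trace[i]
    if op == "implies":
        return not holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "G":
        return all(holds(f[1], trace, k) for k in range(i, len(trace)))
    if op == "F":
        return any(holds(f[1], trace, k) for k in range(i, len(trace)))
    if op == "U":  # f[1] holds at every step from i until a step where f[2] holds
        for j in range(i, len(trace)):
            if holds(f[2], trace, j):
                return True
            if not holds(f[1], trace, j):
                return False
        return False  # trace ended before the release condition was observed
    raise ValueError(f"unknown operator {op!r}")


# The three constraints from the talk (Wasserman & Cheng 2003).
PROPERTIES = {
    # □(CheckPoint.denyAccess ⇒ ◇ CounterMeasure.triggered)
    "deny_triggers_countermeasure": G(implies(atom("CheckPoint.denyAccess"),
                                              F(atom("CounterMeasure.triggered")))),
    # □(CheckPoint.denyAccess ⇒ Client.fail U Client.idle)
    "deny_client_fails_until_idle": G(implies(atom("CheckPoint.denyAccess"),
                                              U(atom("Client.fail"), atom("Client.idle")))),
    # □(CheckPoint.grantAccess ⇒ (◇ Client.succeed) U Client.idle)
    "grant_client_succeeds_until_idle": G(implies(atom("CheckPoint.grantAccess"),
                                                  U(F(atom("Client.succeed")), atom("Client.idle")))),
}


def check_properties(trace: Trace):
    """Evaluate every property from the start of the trace; returns name -> holds?"""
    return {name: holds(f, trace, 0) for name, f in PROPERTIES.items()}


def step(*atoms: str) -> FrozenSet[str]:
    return frozenset(atoms)


# Constructed traces: a conforming run, and a run in which a denial is never
# followed by the countermeasure (the violation the monitor should flag).
CONFORMING_TRACE: Trace = [
    step("CheckPoint.denyAccess", "Client.fail"),
    step("CounterMeasure.triggered", "Client.fail"),
    step("Client.idle"),
    step("CheckPoint.grantAccess"),
    step("Client.succeed"),
    step("Client.idle"),
]
VIOLATING_TRACE: Trace = [
    step("CheckPoint.denyAccess", "Client.fail"),
    step("Client.idle"),
]

if __name__ == "__main__":
    print("conforming:", check_properties(CONFORMING_TRACE))
    print("violating: ", check_properties(VIOLATING_TRACE))
```

Evaluating each formula at every position is quadratic in the trace length, which is fine for a recorded trace but not for an online monitor; the tools listed above compile the formulas into automata or rule systems precisely so that each event is processed once.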
76
Thank you
77
Bibliography: Codecharts (www.lepus.org.uk)
- A.H. Eden, J. Nicholson. Codecharts: Roadmaps and Blueprints for Object-Oriented Programs. Wiley-Blackwell, 2011.
- A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. "Modeling and Visualizing Object-Oriented Programs with Codecharts". Formal Methods in System Design 43(1), 1–28, 2013.
- A.H. Eden, E. Gasparis, J. Nicholson. "LePUS3 and Class-Z Reference Manual". University of Essex, Tech. Rep. CSM-474, 2007.
Toolkit
- A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. "Round-Trip Engineering with the TTP Toolkit". Forthcoming.
Software engineering state-of-the-art: An introduction to the not-so-innocent, 9-Feb-2005
78
Bibliography: Research project
- J. Ryoo, R. Kazman, A.A.H. Alzahrani, A.H. Eden. "Designing for Security Using Tactics, Patterns, and Automated Verification". In preparation.
Tactics
- L. Bass, P. Clements, R. Kazman. Software Architecture in Practice, 3rd ed. Addison-Wesley Professional, 2012.
- J. Ryoo, R. Kazman, P. Laplante. "Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation". 6th Int'l Conf. on Software Security & Reliability, Washington D.C., 2012.
Catalogues
- M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, P. Sommerlad. Security Patterns: Integrating Security and Systems Engineering. Wiley, 2006.
- R. Wassermann, B.H.C. Cheng. "Security Patterns". Pattern Languages of Programs (PLoP), 2003.
79
Bibliography: Runtime verification
- H. Barringer, A. Goldberg, K. Havelund, K. Sen. "Eagle monitors by collecting facts and generating obligations". Tech. Rep. CSPP-26, Dept. of Computer Science, U. of Manchester, 2003.
- H. Barringer, D. Rydeheard, K. Havelund. "Rule systems for run-time monitoring: from EAGLE to RULER". J. of Logic & Computation 20(3), 2010.
- K. Havelund, G. Roşu. "Monitoring Java programs with Java PathExplorer". ENTCS 55(2), 2001.
- F. Chen, G. Roşu. "MOP: an efficient and generic runtime verification framework". SIGPLAN Notices 42(10), 2007.
Formal methods
- J. Guttag, J. Horning, J. Wing. "Some Notes on Putting Formal Specifications to Productive Use". Science of Computer Programming 2(1), 53–68, October 1982.
- J.M. Wing. "A Specifier's Introduction to Formal Methods". Computer 23(9), 8–23, 1990.